Don't run as Administrator! 2

[SundialServices]

Windows gets a very bad rap for being "virus friendly," for one reason above-all ... which also happens to be a reason that it does not deserve. That is: most users run as Administrator, all the time, with no password.

In my experience, you can drastically reduce the problem of spyware, viruses, and everything-else JUST by setting yourself to be a non-administrator ("limited") user (or users...), thus voluntarily limiting your own powers on the computer EXCEPT when you are actively installing system updates.

Never respond to any prompt asking for an administrative password... log on as the administrator, instead. Do the work, then log off.

If you "wear many hats" at your (one-man?) company, have many users for yourself as well. If your accountant would have his/her own office, there should be a separate account, too. The files that would be locked in the private cabinet within that office... should be out-of-sight on the computer, too.

A "limited account" can't do global things, and most viruses and such want to do global things. Most of them can't do anything particularly harmful without the Administrator privileges that they are, unfortunately, quite accustomed to.

 

[jsteph]

which also happens to be a reason that it does not deserve.

I'd agree with that if all the home users and every one else explicitely went into the user MMC and set themselves up as Administrator. But they didn't--Microsoft set the default user on every new install of XP Home and XP Pro as part of Administrators group.
--Jim

 

[sggaunt]

But remember that some programs wont run propery/at all in Limited mode, and personally I have had problems with SpybotS&D in 'limited user mode'

Steve: Delphi a feersum engin indeed.

 

[pechenegs]

I agree, you can hardly do anything in limited mode, and it takes the fun and control out of computing if your going to have to constantly switch from admin to limited user mode just to carry out everyday tasks!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars

 

[MasterRacker]

You might not be able to run limited all the tmie, but you can certainly use DropMyRights to run specific programs like your browser under lower privileges.

[sub]Jeff
[purple]It's never too early to begin preparing for [/purple]International Talk Like a Pirate Day

"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me[/sub]

 

[jsteph]

That DropMyRights looks great!

I've tried it at home, and verified with ProcExp that the tokens are removed, so it seems to work well.

Can anyone give me a 'typical' example (it wasn't clear in the msdn article) of what may be denied when running as Normal user? For instance, I went to a driver download site and was able to download a file (with a prompt of course), but I'm wondering what typical browsing tasks might be noticeably restricted when running as a 'Normal' user as opposed to Admin?
--Jim

 

[spizotfl]

i've has problems in xp home getting to network shares on a home network.

 

[MasterRacker]

I haven't noticed restrictions per se. You are going to be prevented from modifying system files, drive-by installations etc.

_____
Jeff[sub]
[purple]It's never too early to begin preparing for [/purple]International Talk Like a Pirate Day
[/sub][sup]
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me[/sup]

 

[Sympology]

Nobody noticed a fundemental flaw here.

Try telling a average pc user to go and download a piece of software so that they can't do as much on a PC!

You could bleat on all day about spyware and viruses, but lets face it, they just won't bother. If they were that concered they wouldv'e already installed AV and AS software.

IMHO, it should be madatory for ISP's to insist all machines have up to date AV software installed.
If this happened 99% of viruses would die and spam would be reduced massivly.
But it'll never happen.



Only the truly stupid believe they know everything.
Stu.. 2004

 

[BadBigBen]

@Stu - I agree with ya fully... Joe Shmoe of the street will not bother at all, and then blame you when it does not work right or he gets bombed by malware (happened to me)...


Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

 

[porkchopexpress]

I run my laptop as a limited user all the time and have no problems, most issues can be sorted by giving the account write access to any program folders that cause problems (but most well written apps will be fine).

Also remember that you don't have to keep switching users to make small admin changes. Simply use 'runas' to elevate an instance of IE to admin level from there you can access anything inc control panel with admin rights, when you have done close the window and you are back to a restricted user.

Running as a restricted user takes a bit of getting used to and certainly isn't for your average user, unfortunatly we will have to wait for Vista for MS to bring this to the masses.

 

[AndrewTait]

Try deleting a unrequired print job from an account with limited access (particularly on XP Home).

It does not work!

So often times it happens that we live our lives in chains
And we never even know we have the key

 

[porkchopexpress]

Never tried with home but like i say it will work from an admin shell within the restricted session in XP Pro.

 

[sggaunt]

What joe smo on the street gets infected with, can't be my first priority.
First priority is my own machines and the ones I am responsible for (joes smo's that I know).

Getting shut of internet born rubbish should be the resposibility of ISP's/Govermnments in my opinion, If they can't/won't do it, then I will protect my own to the best of my ability.

Steve: Delphi a feersum engin indeed.

 

[Sympology]

What joe smo on the street gets infected with, can't be my first priority."

Unfortuantly it's this muppet that gives us so many Viruses and so much Spam. Remove this weak link and IT life would be so much easier.

Only the truly stupid believe they know everything.
Stu.. 2004

 

[sggaunt]

Too True, but as an individual what can You or I do about it?



Steve: Delphi a feersum engin indeed.

 

[Sympology]

Give them a BIG RED BUTTON with "Do Not Touch" written on it and when they will do, kill the electricty to their house, forever ! Hee hee hee

Only the truly stupid believe they know everything.
Stu.. 2004